Not only is it Manufacturing Month, but October also is National Cybersecurity Awareness Month. To mark the occasion, Smart Industry Managing Editor Scott Achelpohl recruited Joe Anderson of Ohio-based TechSolve to talk about how robust cyber defenses can start with up-to-date password practices and policies.
Anderson is a big “get” for Smart Industry—an IT and info security pro with over 25 years of industry experience, possessing several cybersecurity certifications. His company, among other IT services, helps small manufacturers (TechSolve is part of the Manufacturing Extension Partnership in Ohio) tackle cybersecurity compliance challenges and risk management.
For manufacturers and the shop floor, cybersecurity and secure OT and IT require constant vigilance. One of the most common-sense strategies for this is password security—and for lots of companies, mandatory policies relating to passwords often become necessary. Look at examples like Clorox recently: A breach, any breach, can cost millions in “ransom” to cyberattackers and in production downtime. And passwords are often easily hacked.
Some important cybersecurity context that came to Smart Industry this week shortly after the discussion with Joe Anderson:
According to San Mateo, California-based Kiteworks, vendor of a secure encrypted file-sharing content communications platform, the manufacturing sector has experienced a significant surge in its cybersecurity “risk score” over the past few years, particularly in 2022 and 2023 heading into this year.
According to the company’s 2024 Risk Score Index Report, the sector's risk score rose from 4.9 in 2022 to 5.8 in 2023, marking an 18.37% increase. However, the most recent data for the first half of 2024 shows a dramatic spike in the risk score to 8.6, compared to 3.9 in the first half of 2023. This recent surge represents a 120.51% increase, indicating a severe escalation in cyber threats or a series of high-impact breaches in the sector.
The financial impact of these breaches is substantial, according to another report. According to IBM's Cost of a Data Breach Report, the average cost of a breach in manufacturing increased significantly—from $4.66 million in 2023 to $5.45 million this year, a 14.93% increase in costs.
Manufacturing's cybersecurity landscape shows a trend of increasing vulnerability, according to Kiteworks. The number of data compromises rose by 3.86% from 2022 to 2023, with 259 incidents reported in 2023 compared to 249 in 2022. The first half of 2024 saw a further increase, with 151 incidents compared to 112 in the same period of 2023, or 34.82% more.
The human impact of these breaches has escalated dramatically, according to Kiteworks. In 2022, about 24 million individuals were affected by data breaches in manufacturing. This decreased to 5 million in 2023, but the first half of this year has seen a significant increase in the number of victims, with 50.4 million affected individuals, compared to 1.38 million in the first half of 2023. This represents a 3,552.53% increase in human victims of cyberattacks.
Below is an excerpt from the podcast:
Scott Achelpohl: For manufacturers on the shop floor, cybersecurity and secure OT and IT require constant vigilance. One of the most common-sense strategies for this is password security. And for lots of companies, to put in mandatory policies relating to passwords often becomes necessary. Look at examples like Clorox. A breach, any breach, can cost millions in ransom to cyberattackers and in production downtime, and it is passwords that are often hacked. Better password practices often are part of a larger zero-trust approach against cyber threats.
According to several studies, manufacturers are at the top when it comes to attacks. Nearly half of them experienced a data breach within the last two years, according to one researcher. And what's one of the top defenses against breaches? Better and stronger passwords on machines that hold or have access to company data.
Another note: a Georgia Tech University cybersecurity study last year shockingly found that more than half of all websites they examined accepted passwords with six characters or less, with 75% failing to require the recommended eight-character minimum. You simply can't let your systems, whether internal, supplier, or public-facing, be this easy to breach, and better password policies are among the easiest to implement company-wide. And I should mention that not only is it Manufacturing Month, but October also is National Cybersecurity Awareness Month. So make sure your company is aware and is or has raised its shield, so to speak, to borrow a line from Star Trek, in this regard. But our expert here is Joe. So let's see if he wants to weigh in with his two cents before I ask him some specific questions.
Joe Anderson: I'm glad that we have a month dedicated to information security because we, as a society, need everyone to understand that this is a team sport. Everyone plays a part, and we need to have a general security awareness for the risks and the challenges that we face. You cannot turn on the news or read an article without seeing this site was hacked, that company brought down, or sensitive records were released to the public. We definitely have our work cut out for us, that's for sure.
SA: Now I've got some questions for you about our topic today of password practices and policies. I'll try to be gentle; I promise.
Here's the first question. Joe, tell us about the current threat landscape and how password policies of protection matter more than ever. Is it mostly a matter that there are more devices than ever and therefore more risk?
JA: First off, I appreciate you saying that I'm an expert, but it's really difficult to be an expert in this field, as you can imagine. There's so much to learn, lots I know, lots I don't know, and I'm not sure if we can truly master all of the things that we need. I will say that I've had some great opportunities to help others and that I'm a lifelong learner, so that helps.
To answer your questions, I would say yes, to an extent, but there's more to it than that. A bit more about the current threat landscape first. As you know, our modern world relies on this interconnectivity and exchanging of information. If we could just unplug our systems from all the networks, then there would be less risk overall. But we would also not be able to function.
There are something like 50 to 100 vulnerabilities discovered every day in the systems that we rely on. Security researchers work hard to find these vulnerabilities and responsibly disclose them to all of the different vendors so that they can be patched. This is a challenging task for all involved, especially for IT personnel who have to apply the patches while minimizing downtime or causing some unintended issue resulting from an improper patch, let's say. We often say that our job has to be performed without making a mistake because all it takes is for our adversary to find that one mistake that we made, which completely upends everything we were trying to prevent.
As far as passwords are concerned, this is an area where the general user base has an active participation within. They have an aspect of organizational security where they often get to select the passwords they want to use. Their credentials are used to obtain access to the various systems, the services, and data to do their jobs. In some cases, this access is available remotely. Unfortunately, opportunities to obtain unauthorized access are available to the bad folks as well.
What we're trying to do is to protect user accounts from unauthorized access. As more companies had to pivot more towards remote work during the pandemic, remote access was critical. Now more than ever, companies are migrating more things to the cloud and access is available in that way. All of this drastically increases the risk level.
SA: With any company password policy, what do you tell employees? What's the forward-facing dialogue a company CIO or a chief information security officer must have with staff?
JA: In some cases, it's simple. If there's some compliance requirement that forces them to do it, then that is the motivation to implement a proper policy. Compliance requirements may come from cyber insurance carriers, or it may come as a requirement from a strategic partnership. We're seeing more small- to mid-size manufacturers come to us saying we are a supplier to another large company, and they're requiring us to improve our security because we have access to their systems or data. If that is not the case, then I have to break down the risk, explaining to them that people are not great at picking strong passwords or unique passwords, for that matter. All it takes is for one set of credentials to leak out and that may provide access to a system and all of the sensitive information that may be contained within it. One of the biggest ones is access to e-mail accounts. The wealth of information contained within it is staggering.